SARIF SAST Scans Tab not showing scan results

nsid123 commented 1 year ago

Hi I added Microsoft Security DevOps task and installed SARIF SAST Scans Tab. I can see the artifacts that is getting generated with the extension msdo.sarif but i am not seeing any output in the Scans tab. It shows a blank page. Could you please help us on this

eli-gc commented 1 year ago

Having this exact issue as well.

tmanor2604 commented 11 months ago

Hi! I also have the same issue. Though .sarif report is available under CodeAnalysisLogs, 'Scans' tab displays blank page

Interface007 commented 11 months ago

I have the same issue - I've checked that my msdo.sarif is a 5KB json file with 4 "message" nodes. In my case, the issue seems that there are only two empty result-nodes "results": [],. In this case, the tab looks like nothing has been scanned, while the result communicated by Microsoft Security DevOps was: "I have scanned with two tools, but there was no finding." - which is a completely different message than "No results found".

So, for clarity, it may be a good option to indicate on the tab that a scan has been done and what tools did report "No results".

winstliu commented 11 months ago

@nsid123, @tmanor2604 - are your scans also coming up with 0 results?

winstliu commented 11 months ago

Also, to make sure we're talking about the same thing when we say "a blank page", screenshots would be helpful!

winstliu commented 11 months ago

Proposed change for when scans run without returning any results: Success message showing "No results found after running 1 scan"

jH- commented 10 months ago

Experiencing this issue in my org's DevOps. Artifacts are generated in the correct location, but the Scans tab is empty (despite results after scanning).

No related errors observed in devtools when inspecting the page. The request you asked to check in the other issue thread (#24 ) does contain the CodeAnalysisLogs item, type: Container. I also went back and checked some retained pipeline runs from july/august; here the scan tab still display the results.

I haven't been able to pinpoint a change after this that could cause this issue, or seem in any way related.

winstliu commented 10 months ago

Thanks @jH-. Do those logs also contain results? Or do they come back "clean" (i.e. successfully scanned, but no results to report)?

jH- commented 10 months ago

@50Wliu They contain results.

tmanor2604 commented 10 months ago

@nsid123, @tmanor2604 - are your scans also coming up with 0 results?

After I moved SARIF results at the root level of CodeAnalysisLogs, I can view results for a Static Code Analysis tool called Coverity but not from another tool called Astree

vdkrobby7 commented 9 months ago

I have the same issue when using a .gdnconfig file for scanning a particular directory.

When I use the generic 'MicrosoftSecurityDevOps@1' task I do get all the scans in both the scan tab and the mdso.sarif file.

Working yaml config:

`pool: vmImage: 'windows-latest' trigger: branches: include:

feature/* steps:
- task: MicrosoftSecurityDevOps@1 displayName: 'Microsoft Security DevOps' inputs: categories: 'IaC'`

Results :

Not working yaml & gdnconfig config

`trigger: none pool: vmImage: 'windows-latest' steps:

task: MicrosoftSecurityDevOps@1 displayName: 'Microsoft Security DevOps' inputs: tools: 'TemplateAnalyzer' config: pipelines/test-devsecops.gdnconfig categories: 'IaC'`

gdnconfig file: